
umputun / stash / 20611707767
84%

Build:
DEFAULT BRANCH: master
Ran 31 Dec 2025 04:03AM UTC
Jobs 1
Files 24
Run time 1min
31 Dec 2025 04:02AM UTC coverage: 83.964% (+0.3%) from 83.646%
20611707767

push

github

web-flow
feat(store): add zero-knowledge client-side encryption (#47)

* docs: add zero-knowledge encryption implementation plan

Client-side encryption where server stores opaque blobs. Uses $ZK$ prefix
for detection, AES-256-GCM encryption, and integrates at Go library level.

* feat(store): add zero-knowledge client-side encryption

add optional client-side encryption where server never sees plaintext.
encryption/decryption happens entirely in Go client library using
AES-256-GCM with Argon2id key derivation. server stores opaque $ZK$ blobs.

- add ZKCrypto with Encrypt/Decrypt methods (app/store/zkcrypto.go)
- add ZKEncrypted field to KeyInfo, detect $ZK$ prefix in db.go
- add WithZKKey(passphrase) client option (lib/stash)
- web UI shows green shield icon, hides edit for ZK keys
- add e2e tests for ZK display and behavior
- document ZK encryption in README and CLAUDE.md

* fix(store): prioritize ZK encryption over server-side secrets

ZK-encrypted values in secrets paths were being double-encrypted,
causing the $ZK$ prefix to be lost and incorrect UI display.

now the store skips server encryption when value has $ZK$ prefix.
this allows ZK values to be stored in secrets paths while maintaining
both the Secret and ZKEncrypted flags for proper UI indication.

adds unit test for ZK precedence and e2e test for combined display.

* feat(store): add ZK payload validation for secrets paths

validates $ZK$ prefixed values only in secrets paths:
- checks valid base64 encoding
- enforces minimum 44-byte payload (salt + nonce + auth tag)
- rejects malformed ZK payloads to prevent accidental plaintext storage

non-secrets paths allow any $ZK$ prefixed values for flexibility
with other encryption schemes or client implementations.

updates documentation with ZK + secrets path combination behavior.

* docs: remove emoji from shield icon description in README

the UI uses an SVG icon, not a Unicode emoji

* test(lib): add zk_test.go for client library ZK crypto

tests co... (continued)

224 of 250 new or added lines in 6 files covered. (89.6%)

3330 of 3966 relevant lines covered (83.96%)

100.19 hits per line

New Missed Lines in Diff

Lines  Coverage  ∆      File
2      87.27     0.89%  lib/stash/client.go
12     87.23            app/store/zkcrypto.go
12     86.05            lib/stash/zk.go
Jobs
ID  Job ID         Ran                      Files  Coverage
1   20611707767.1  31 Dec 2025 04:03AM UTC  24     83.96
GitHub Action Run
Source Files on build 20611707767
  • Tree
  • List 24
  • Changed 6
  • Source Changed 0
  • Coverage Changed 6
  • 3ebc11b4 on github